Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

Shaders.exe

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250113-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    18/01/2025, 16:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Shaders.exe

  • Size

    202KB

  • MD5

    9fd12f9e1dd9ca2748dbfec00f868314

  • SHA1

    67b2d937e3575e5aa1a2ff1f6cadfbbd8c61155f

  • SHA256

    3d4982f32861d80eb59f194600422d2dabc6b0848a4fc81afeb3e82f8575589d

  • SHA512

    e4eeaf5d684c6f68d04e94f73bc9b2f379d18e092e000ca26ea9b5254f6f4caf532da1b8039279ef2629ba7e2a01b2e6242178c6f5cfd5d677062a9021bf70f1

  • SSDEEP

    6144:QLV6Bta6dtJmakIM5rtDv+1ECGhAIgeHYuq:QLV6Btpmkeb+kXxHYj

Score
10/10
nanocorediscoveryevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Nanocore family
    nanocore
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in Program Files directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SendNotifyMessage 20 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Shaders.exe
    "C:\Users\Admin\AppData\Local\Temp\Shaders.exe"
    1⤵
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    PID:3336
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4236
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3292
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2020 -parentBuildID 20240401114208 -prefsHandle 1936 -prefMapHandle 1928 -prefsLen 26921 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {02b46323-5f4a-4862-afe7-5e472389b81a} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" gpu
        3⤵
          PID:3668
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2404 -parentBuildID 20240401114208 -prefsHandle 2068 -prefMapHandle 2388 -prefsLen 26799 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2cff42d-30d3-4ae2-80ac-7e6b7ccac882} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" socket
          3⤵
            PID:4776
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2856 -childID 1 -isForBrowser -prefsHandle 3016 -prefMapHandle 2868 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bcbb8055-706f-4048-a648-e0b04d38eb14} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" tab
            3⤵
              PID:4728
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3672 -childID 2 -isForBrowser -prefsHandle 3660 -prefMapHandle 3656 -prefsLen 32173 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f8f1ff4-93cc-4e2e-bf32-8764a66638a1} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" tab
              3⤵
                PID:472
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4388 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4476 -prefMapHandle 4472 -prefsLen 32173 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a36d6aab-6ca4-4c90-9e5e-8a5dd4d12b8c} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" utility
                3⤵
                • Checks processor information in registry
                PID:760
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5360 -childID 3 -isForBrowser -prefsHandle 5352 -prefMapHandle 5336 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ddcdf16c-68fc-4a02-be06-80f048aa5b40} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" tab
                3⤵
                  PID:5048
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5492 -childID 4 -isForBrowser -prefsHandle 5500 -prefMapHandle 5504 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {47a0a490-3a8e-4c37-a951-6cc72781499c} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" tab
                  3⤵
                    PID:1836
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5708 -childID 5 -isForBrowser -prefsHandle 5784 -prefMapHandle 5780 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {33e34e46-1708-44b3-81e7-e54e2bbee755} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" tab
                    3⤵
                      PID:60

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\l2vosokn.default-release\activity-stream.discovery_stream.json.tmp
                  Filesize

                  25KB

                  MD5

                  c6c965445b675435bd3a41761a3a19ab

                  SHA1

                  d052d89b06fa224d7d6960de2eadfbb81674b87f

                  SHA256

                  45c54ed50ecb1683f6d898bb7ef06975f983d0844f1b4a4756774044539814a5

                  SHA512

                  6ae9c96a1c0b131e0a983d4c64b9f2ee6e3ca907740602b423af1a5d29a81affadd52587a3fc4aeac897a082a8f8a560e7c93a6f906d66fe0dfc235c2586e719

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l2vosokn.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  6KB

                  MD5

                  c2db6adbdbaa47cc89b2814a4ebef22c

                  SHA1

                  b4973020c6174c51a5e5e57b3a8c8642f5cfa46c

                  SHA256

                  1bb5908b9e18ce56d3d8f4f1ca49df825c4c2e25e5ed5a682342ebfc7d9e3efc

                  SHA512

                  0406ec3f3e189bcf3e5de5e8a984b2d0f45ea5020f1b7f416c82e10b7cf6d3d42f77a7171e47440cfab2e627d00410879427a032e6efa98b0b74e7acf3cfc5cf

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l2vosokn.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  5KB

                  MD5

                  13f3f0785922407432b37756829c8839

                  SHA1

                  71c6415299cddc6afd41c6d065386c870397980b

                  SHA256

                  22845be841058aa75f3ada431ce0d163329e2360e4cc85486fc0250e8c54addf

                  SHA512

                  8eabfa2d79fa09c4bce5deaf4543237b5e135c379d1fae94f2fc57e3cfc3c64cd252df65d2a0b25daf0615b0237cfb947f53f38cba0da8eedf35b267f2163c28

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l2vosokn.default-release\datareporting\glean\pending_pings\7239b33d-572e-4f47-a68d-c8225ff788a8
                  Filesize

                  982B

                  MD5

                  518b60d1ce0cd4405e9eadacadae4e8f

                  SHA1

                  fd9b691da1e3c7c6e886979bf9d976a5e31bcb47

                  SHA256

                  df18db555232b031435f29086b8cc16d08ec0f455a96024f118a83900473069b

                  SHA512

                  d2397a4aa7acc622eef21dfe6bd79ae9c321c944ee7add4b399fcd060bc8d95ff72d7a5b72c7175114e6e609f08a35d566435f7165db0c9d8be883827843f3ff

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l2vosokn.default-release\datareporting\glean\pending_pings\a0ce64d2-1c0a-4414-bda4-d5024a5d1810
                  Filesize

                  671B

                  MD5

                  cdd15024251331fb86e84e69a5879742

                  SHA1

                  45cbbbbdad5726ee014cae63a351b696f5019ea1

                  SHA256

                  4f8d242be0d6c57605f03d2e609c59b52035dc1779ce1ab7f2b45439dc04f4b3

                  SHA512

                  f49acb9750c8467d15d929e48443b66fd0b6ce86d16400ac7372f8555719194ede71146b51e14b74ea250b9e7c44911f6c682705da0ce4c2b35f93f1abd8044d

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l2vosokn.default-release\datareporting\glean\pending_pings\c282bec6-5813-4f6a-b99f-1bd122ebecd0
                  Filesize

                  25KB

                  MD5

                  ebc8dfb5eba75f0e0f42e8cde17a6193

                  SHA1

                  7ceaee58b16e2a17ec1c027bd45bff992bf6dbec

                  SHA256

                  678fbe4698a8320c8b2153a5690a7a1948d70df08f85bdfdc38af466c761fb9e

                  SHA512

                  ad805a8ed9db7d3eeca43710b49b7672bf7aae7bc518440718a3cfe7e53356fd737990aee01cc120ce08c4ef6047126e7ebba43788fffd3702a48c4ba0516368

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l2vosokn.default-release\prefs.js
                  Filesize

                  9KB

                  MD5

                  a4a7b204d84cab275ef4da78211fa5c5

                  SHA1

                  fdaeb1da2aa05663e12894744226a8c0d0380717

                  SHA256

                  1addb2bceb0fa5a71c2059577e3cd38245192c669c0f8eb872e93cfb886288c5

                  SHA512

                  246a2abaaf5b833dd3b8edd452ae1a89d6e2150a5dd0f324d073e9443343b11fd15748f603f455742e5a1882b49fd07b8e4d9c8043344d27dd176c43ba4e519e

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l2vosokn.default-release\prefs.js
                  Filesize

                  9KB

                  MD5

                  f7a0e6b5771e9ed4eb2b5a456a0cebe4

                  SHA1

                  e4834080c07472266bc0f926dbda112bd4dff6f0

                  SHA256

                  3545bbb02f5c208d1684d20b3fccd6eae7060205c632d5c6e57554ecc7469cb3

                  SHA512

                  3f736f9d5c3e53368d7e274447076e35362721f9195724d5f04ef6f141b9ee2c4bfad358a00669af5d629aef026304fa021691f63e53fea1d771317896929f97

                  Download Submit

                • memory/3336-7-0x0000000075500000-0x0000000075AB1000-memory.dmp

                  Filesize

                  5.7MB

                  Download

                • memory/3336-2-0x0000000075500000-0x0000000075AB1000-memory.dmp

                  Filesize

                  5.7MB

                  Download

                • memory/3336-8-0x0000000075500000-0x0000000075AB1000-memory.dmp

                  Filesize

                  5.7MB

                  Download

                • memory/3336-4-0x0000000075500000-0x0000000075AB1000-memory.dmp

                  Filesize

                  5.7MB

                  Download

                • memory/3336-0-0x0000000075502000-0x0000000075503000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3336-1-0x0000000075500000-0x0000000075AB1000-memory.dmp

                  Filesize

                  5.7MB

                  Download

                • memory/3336-6-0x0000000075500000-0x0000000075AB1000-memory.dmp

                  Filesize

                  5.7MB

                  Download

                • memory/3336-5-0x0000000075502000-0x0000000075503000-memory.dmp

                  Filesize

                  4KB

                  Download